Shibboleth at Stanford

In an academic environment, there is frequently a need to share resources
and research across institutional boundaries. Researchers collaborate
with colleagues from other universities, students take classes that are
taught by faculty from other places, and journals and academic resources
are available across many colleges, research institutes, and libraries.
Our current IT environment doesn't make these kinds of interactions easy.
The only way to access restricted (i.e. WebAuthed) Stanford materials is
by creating sponsored SUNetIDs for everyone who needs access. Similarly,
accessing resources at our peer institutions requires creating accounts in
their local authentication structure. This doesn't scale well,
requires remembering lots of passwords, and figuring out how to sign up
(and get sponsored) for all of these authenticators is frequently a pain.

Shibboleth is an Internet2 consortium project that solves this problem by
creating a concept of federated identity management. Any set of parties
who use Shibboleth can create a trust relationship between their
authentication systems, and service providers (websites that require
authentication) can allow access not only to users with locally
authenticated credentials but also to users with credentials from
federated authentication services.

Stanford is looking to join a couple of large (dozens of participating
institutions), general-purpose federations as part of the Shibboleth
project (InCommon and InQueue), and will set up a process
for joining other federations, many of which are special-purpose and may
only have a few members.

Down the road, there's an opportunity for Shibboleth to unite the various
authentication systems at Stanford, including the stanford.edu Kerberos
realm and win.stanford.edu Active Directory domain in a locally maintained
federation. Other authentication entities at Stanford could also choose
to participate. Shibboleth may also turn out to be the best answer for
providing WebAuth-like service to Windows servers running IIS, as Shib has
a more mature Windows presence than WebAuth does.

There are 6 main deliverables for the Shibboleth project:

1. Build and package a Shibboleth identity provider that will allow
   Shibboleth to interface with Stanford's Kerberos realm.

2. Package a client Shibboleth-interface kit similar to Stanford's
   WebAuth packages.

3. Bring up at least one service provider at Stanford that uses
   Shibboleth, and enable Stanford users to use at least one remote
   Shibboleth-authenticated service.

4. Join Stanford to the InCommon and InQueue Shibboleth federations.

5. Create an ongoing process by which Stanford can join new
   federations.

6. Modify Stanford policy to allow the IT Services Kerberos 5 realm
   to assert stanford.edu identity to federated service providers.

The Shibboleth project team is Bruce Vincent, in charge of policy and
process; Scotty Logan, who has written extensions to our LDAP
infrastructure to support Shibboleth-based directory access; Quanah
Gibson-Mount and Russ Allbery, packaging and production readiness; Digant
Kasundra, client deployment; and Jon Pilat, project manager. Lois Brooks
from SULAIR has been instrumental in getting this project moving, and John
Freshwaters is the project sponsor.